
FTP with TLS encryption not working for user – works if user has NON-CNCL ACF2 attribute


Article ID: 214622


Products

ACF2 - z/OS

Issue/Introduction

TLS encryption is not working for users connecting to the FTP server: the user has no access to the private key.

The ACF2 keyring where the various certificates reside has a default certificate.
When a file transfer is initiated from the mainframe to the secure FTP server,
the default certificate is read together with its private key, even though the default certificate is not required
when performing a handshake with an external server.
In cases where the logonid performing the transfer is ‘NON-CNCL’, the user reads the private key without any issue.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

To resolve this problem, create a keyring to which only the root and intermediate signing certificates
of the server certificate are added.
In this case, no default user certificate is involved, and the handshake with the external server can be completed.
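The following batch job is an added example of the resolution above, not commands taken from the article. It loads the two CA certificates of the server's signing chain as CERTAUTH records (which carry no private key), builds a ring for the transferring logonid, connects both certificates with USAGE(CERTAUTH) only, and lists the ring so you can confirm that no PERSONAL or DEFAULT certificate is on it. The logonid FTPUSER, the ring record name FTPUSER.CA, the ring name CA, the CERTDATA record names and the data set names are assumed placeholders; substitute site values.

```jcl
//BLDRING  JOB (ACCT),'FTP CA-ONLY RING',CLASS=A,MSGCLASS=X
//*
//* Added example (assumed names, not from the article):
//*   FTPUSER         logonid that initiates the transfer
//*   FTPUSER.CA      ACF2 KEYRING record, ring name CA
//*   CERTAUTH.ROOT   root CA of the FTP server chain
//*   CERTAUTH.INTER  intermediate CA of the FTP server chain
//*   FTP.ROOTCA.DER / FTP.INTERCA.DER  exported CA certificates
//*
//* Step 1: store the signing chain as CERTAUTH records. These
//*         hold public certificates only, so no private key can
//*         be read when the ring is opened.
//* Step 2: insert a KEYRING record for the transferring logonid.
//* Step 3: connect both CA certificates with USAGE(CERTAUTH).
//*         Do NOT connect a PERSONAL certificate and do NOT code
//*         DEFAULT; that is what forces the private-key read.
//* Step 4: LIST the ring and check that every entry shows
//*         USAGE(CERTAUTH) and no DEFAULT flag.
//*
//ACF      EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
SET PROFILE(USER) DIVISION(CERTDATA)
INSERT CERTAUTH.ROOT DSNAME('FTP.ROOTCA.DER') LABEL(FTPROOT) TRUST
INSERT CERTAUTH.INTER DSNAME('FTP.INTERCA.DER') LABEL(FTPINTER) TRUST
SET PROFILE(USER) DIVISION(KEYRING)
INSERT FTPUSER.CA RINGNAME(CA)
CONNECT CERTDATA(CERTAUTH.ROOT) KEYRING(FTPUSER.CA) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH.INTER) KEYRING(FTPUSER.CA) USAGE(CERTAUTH)
LIST FTPUSER.CA
/*
```

After the job runs, rebuild the user profile directory from the console (`F ACF2,REBUILD(USR),CLASS(P)`) so the new CERTDATA and KEYRING records take effect, then point the FTP client at the ring in FTP.DATA with the KEYRING statement (for a ring owned by another logonid the form is `KEYRING FTPUSER/CA`; ring names are case-sensitive). Because the ring holds only CERTAUTH entries, the TLS handshake can validate the server certificate without touching any private key, so the logonid no longer needs NON-CNCL or any RDATALIB permission for the transfer.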

Additional Information

The reason that NON-CNCL allows access to the keyring and to the certificate's private key is that
NON-CNCL allows access to the RDATALIB class resource ring_owner.ringname.LST, which controls reading the ring's contents.

Configure Key Rings and Certificates for TLS Applications